Bug allows attackers to hide addresses used to phish passwords or push malware.

A change in some early versions of Google's Chrome browser is attracting the attention of security researchers who say it can make it harder for end users to know when they're visiting a malicious site trying to push malware or phish login credentials.

The change, which is said to affect a small fraction of people running version 36 of Chrome, aka Canary, causes the browser's address bar (Google calls it the Omnibox) to no longer display the URL currently open. Instead, the domain name and any subdomains of the open page are shown immediately to the left of the Omnibox in what's dubbed the Origin Chip. Google developers haven't given a definitive explanation for the experimental change, although Jake Archibald, a developer advocate for Google Chrome, recently gave his personal thoughts on it. Presumably, it's designed to keep up with various features already available in Internet Explorer, Firefox, and Safari that highlight the precise domain a browser is visiting. The features are designed to thwart attacks that rely on long, confusing addresses that can sometimes conceal the true domain that's open.

Researchers at PhishMe, a company that helps prevent organizations from falling victim to phishing and malware attacks, have been testing the trial interface and have found behavior they say could make it easier for attackers to fool end users. By loading up an address with long strings of characters, the researchers were able to completely suppress both the domain name and other address parameters in both the Omnibox and Origin Chip. For instance, when the PhishMe researchers entered the URL "hxxp://this.is.a.test.for.longurl.to.test.the.canary.property.in.the.new.chrome.browser.and.see.if.it.works.DOMAINNAME.com/CheckingNowWithSampleURLInHere/eb31ac/?login_id=48ea2b9a-4f1b-4bbb-b573-89524db025e9" (minus the quotes), the Chrome interface looked like this:

"By burying the concept of URL, or by making this setting permanent in the future versions of Chrome, users will not know the exact link or domain they are visiting, since the URL in the Omnibox disappears, meaning that even security savvy users who have been trained to recognize malicious URLs will be at risk," PhishMe analysts Aaron Higbee and Shyaam Sundhar wrote in a blog post published Tuesday. They called on Google developers to tweak the change, possibly by keeping the entire URL intact, but following the lead of other browsers and putting a visual emphasis on the root domain.

Tuesday's blog post came a week after other bloggers first bemoaned the change. Critics said the added "Enable origin chip in Omnibox" flag made the Web less usable by burying functionality many people found useful. Now that there's a viable case to be made that the move can actually diminish, rather than improve, end-user security, making the change permanent will likely be an even harder sell.

Interestingly, the PhishMe testing showed that the URL lengths required to hide the domain name varied depending on the current window size of the browser. When at default size, URLs with 99 or more characters will trigger the bug. Reducing the window size similarly reduces the number of characters required to hide the address. In fairness to Google, people should never use the extremely unstable Chrome Canary browser versions in mission-critical environments where security is paramount. Still, the PhishMe results provide a compelling case why Google developers should rework this feature before considering it fit for mainstream use.
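
The sketch below is an added illustration, not code from PhishMe, Google, or the original article. It shows the alternative the researchers asked for, keeping the whole URL while marking the root domain, and flags URLs at or past the 99-character figure. The function names, the subdomain threshold, and the "last two labels" rule for the root domain are assumptions made for the example.

```javascript
// Added example (not from the article): show a URL with its registrable
// domain emphasised and flag the long, subdomain-stuffed shape PhishMe tested.

// 99 is the default-window-size figure PhishMe reported in the article.
const LONG_URL_CHARS = 99;
// Hypothetical triage threshold chosen for this example.
const MANY_SUBDOMAIN_LABELS = 5;

// Assumption: the registrable domain is the last two host labels. That is
// wrong for suffixes such as co.uk; real code should use the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split('.').filter(Boolean).slice(-2).join('.');
}

function analyzeUrl(raw) {
  // Re-fang the defanged scheme used in write-ups (hxxp -> http).
  const refanged = raw.replace(/^hxxp(s?):\/\//i, 'http$1://');
  const url = new URL(refanged); // throws on input that is not a URL
  const domain = registrableDomain(url.hostname);
  const subdomains = url.hostname
    .slice(0, url.hostname.length - domain.length)
    .split('.').filter(Boolean);
  const reasons = [];
  if (refanged.length >= LONG_URL_CHARS) reasons.push('long-url');
  if (subdomains.length >= MANY_SUBDOMAIN_LABELS) reasons.push('many-subdomain-labels');
  // Keep the whole URL, but bracket the registrable domain for emphasis.
  const display = url.protocol + '//' + subdomains.map((s) => s + '.').join('') +
    '[' + domain + ']' + (url.port ? ':' + url.port : '') +
    url.pathname + url.search + url.hash;
  return { domain, subdomainCount: subdomains.length, length: refanged.length, display, reasons };
}

// The sample URL quoted in the article; DOMAINNAME.com is the article's placeholder.
const SAMPLE_URL =
  'hxxp://this.is.a.test.for.longurl.to.test.the.canary.property.in.the.new.' +
  'chrome.browser.and.see.if.it.works.DOMAINNAME.com/CheckingNowWithSampleURLInHere/' +
  'eb31ac/?login_id=48ea2b9a-4f1b-4bbb-b573-89524db025e9';

console.log(analyzeUrl(SAMPLE_URL));
console.log(analyzeUrl('https://example.com/login')); // constructed short URL
```

Run against the article's sample, the output keeps all 21 subdomain labels visible and brackets the domain that actually serves the page, so the reader can still see where the URL leads however long it gets.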

Promoted Comments

I'm a bit confused as to why everybody seems to think this shouldn't have been reported. Should Ars and other sites have simply waited to say anything about the possible security implications until this ended up in a release build of Chrome? Because I don't think that'd be doing Google or Chrome users any kind of service.